diff --git a/debian/README.Debian b/debian/README.Debian index 23127da43..9dc82b534 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -1,7 +1,18 @@ -fwupd for Debian ----------------- +signed vs unsigned fwupd programs +------------------------------------ -fwupd is still heavily in development. As of this date, the functionality -it provides is not yet available on most systems. +fwupd 1.1.0 is configured to understand when to use a signed version +of the EFI binary. If the signed version isn't installed but secure +boot is turned on, it will avoid copying to the EFI system partition. + +This allows supporting secure boot even if not turned on at install, or +changed later after install. + +In Ubuntu, both fwupd-signed and fwupd are seeded in the default +installation. Nothing is installed to the ESP until it's needed. + +In Debian, the package name for the signed version is slightly +different due to different infrastructure. fwupd-signed-$ARCH and +fwupd should both be installed and then things will work similarly +to what's described above. - -- Daniel Jared Dominguez Wed, 20 May 2015 17:16:02 -0500 diff --git a/debian/changelog b/debian/changelog index 42e25e00d..0d45db90d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,10 +1,20 @@ fwupd (1.1.0-1) UNRELEASED; urgency=medium + [ Steve Mcintyre ] + * Initial support for UEFI Secure Boot in Debian infrastructure + + When building, also generate a fwupdate-$ARCH-signed-template package + which contains metadata needed by the Debian signing service. This + will end up being turned into a new source package including a signed + version of the fwupdate binary. + + [ Mario Limonciello ] * New upstream version (1.1.0) * Drop patches merged upstream. * debian/control: - Add a patch from upstream that will add gnu-efi to dependencies - No longer recommends for fwupdate as it has been merged into fwupd. + * Adjust infrastructure for fwupdate signed package to be used by fwupd signed + package -- Mario Limonciello Thu, 12 Jul 2018 08:28:32 -0500 @@ -80,7 +90,7 @@ fwupd (1.0.3-1) unstable; urgency=medium fwupd (1.0.2-1) unstable; urgency=medium * New upstream version - * Drop patch for doing libsmbios on only supported architectures, + * Drop patch for doing libsmbios on only supported architectures, now upstream. -- Mario Limonciello Tue, 28 Nov 2017 09:36:57 -0600 @@ -299,7 +309,7 @@ fwupd (0.9.4-1) experimental; urgency=medium * Correct a cleanup rule * Drop intltool build dependency * Re-enable PIE for builds - * Add additional build dependencies that will be needed for generating + * Add additional build dependencies that will be needed for generating capsule graphics * debian/control: sort build-dependencies * Drop packaging from debian/, it will be git mv'ed from contrib/ upstream diff --git a/debian/control b/debian/control index c6a3ba2f6..ff7fdf942 100644 --- a/debian/control +++ b/debian/control 
@@ -166,3 +166,31 @@ Description: GObject introspection data for libfwupd . It can be used by packages using the GIRepository format to generate dynamic bindings. + +Package: fwupd-amd64-signed-template +Architecture: amd64 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Template for signed fwupd package + This package is used to control code signing by the Debian signing + service. + +Package: fwupd-i386-signed-template +Architecture: i386 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Template for signed fwupd package + This package is used to control code signing by the Debian signing + service. + +Package: fwupd-armhf-signed-template +Architecture: armhf +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Template for signed fwupd package + This package is used to control code signing by the Debian signing + service. + +Package: fwupd-arm64-signed-template +Architecture: arm64 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Template for signed fwupd package + This package is used to control code signing by the Debian signing + service. diff --git a/debian/control.in b/debian/control.in index 80f7c057b..619e8f017 100644 --- a/debian/control.in +++ b/debian/control.in 
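Review bot: The four `fwupd-*-signed-template` stanzas exist for every vendor, but the `debian/rules` change in this commit fills them only when `SB_STYLE` is `debian`. On an Ubuntu-derived build they would presumably come out as empty binary packages unless `regenerate_control` drops them, which is not visible here. The same stanzas are added to `debian/control.in`. The long description could also say that the package is input for the signing service only, e.g. ` It is not intended to be installed by users.`, and since the package appears to carry only data, `Depends: ${misc:Depends}` would be enough.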
@@ -120,3 +120,31 @@ Description: GObject introspection data for libfwupd . It can be used by packages using the GIRepository format to generate dynamic bindings. + +Package: fwupd-amd64-signed-template +Architecture: amd64 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Template for signed fwupd package + This package is used to control code signing by the Debian signing + service. + +Package: fwupd-i386-signed-template +Architecture: i386 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Template for signed fwupd package + This package is used to control code signing by the Debian signing + service. + +Package: fwupd-armhf-signed-template +Architecture: armhf +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Template for signed fwupd package + This package is used to control code signing by the Debian signing + service. + +Package: fwupd-arm64-signed-template +Architecture: arm64 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Template for signed fwupd package + This package is used to control code signing by the Debian signing + service. diff --git a/debian/gen_signing_json b/debian/gen_signing_json index 9c5e40bf6..d8f44809c 100755 --- a/debian/gen_signing_json +++ b/debian/gen_signing_json @@ -1,6 +1,6 @@ #!/bin/sh # -# Generate a json file to go in the the fwupdate-signed template +# Generate a json file to go in the the fwupd-signed template # package. Describes exactly what needs to be signed, and how. DIR=$1 @@ -12,7 +12,7 @@ OUT="$DIR/files.json" BINARY=$(find debian/tmp -name '*.efi' | xargs basename) # Actually needs full path within the binary deb -BINARY="usr/lib/${SOURCE}/${BINARY}" +BINARY="usr/lib/${SOURCE}/efi/${BINARY}" rm -f $OUT diff --git a/debian/rules b/debian/rules index a8a465911..e955e757d 100755 --- a/debian/rules +++ b/debian/rules 
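Review bot: In `debian/gen_signing_json`, nothing checks that the new `BINARY="usr/lib/${SOURCE}/efi/${BINARY}"` names exactly one file that is really installed at that path; the name comes from whatever `find debian/tmp -name '*.efi' | xargs basename` printed. files.json tells the signing service which file to sign, so a moved, missing or second `.efi` should fail the build here rather than yield a manifest that points at the wrong thing. Add after the assignment: `[ -f "debian/tmp/${BINARY}" ] || { echo "gen_signing_json: debian/tmp/${BINARY} not found" >&2; exit 1; }`. The `rm -f $OUT` on the following context line should also be quoted, `rm -f "$OUT"`. The rest of the script is outside the hunk.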
@@ -22,12 +22,23 @@ ifeq ($(DEB_TARGET_ARCH),$(filter $(DEB_TARGET_ARCH),amd64 i386 armhf arm64)) export UEFI=-Dplugin_uefi=true endif +SB_STYLE := debian +ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes)) + SB_STYLE := ubuntu + tar_name := fwupd_$(deb_version)_$(DEB_HOST_ARCH).tar.gz +else + TMPLDIR := debian/fwupd-$(DEB_HOST_ARCH)-signed-template/usr/share/code-signing/fwupd-$(DEB_HOST_ARCH)-signed-template +endif + %: [ -f debian/control ] || debian/rules regenerate_control dh $@ --with gir,systemd override_dh_auto_clean: regenerate_control rm -fr debian/build +ifeq (ubuntu,$(SB_STYLE)) + rm -rf debian/fwupd-images +endif override_dh_auto_configure: if pkg-config --exists libsmbios_c; then \ @@ -46,6 +57,20 @@ override_dh_install: #this is placed in fwupd-tests rm -f debian/fwupd/usr/lib/*/fwupd-plugins-3/libfu_plugin_test.so +ifeq (debian,$(SB_STYLE)) + # Generate the template source for the Debian signing service to use + mkdir -p $(TMPLDIR)/source-template/debian + cp -a debian/signing-template/* $(TMPLDIR)/source-template/debian + cp debian/README.Debian $(TMPLDIR)/source-template/debian + find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNARCH,$(DEB_HOST_ARCH)," + find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNVERSION,$(deb_version)," + for file in $$(find $(TMPLDIR)/source-template/debian -type f -name *SIGNARCH*); do file1=$$(echo $$file | sed "s,SIGNARCH,$(DEB_HOST_ARCH),"); mv -v $$file $$file1; done + install -m 0755 debian/fwupd.postinst $(TMPLDIR)/source-template/debian/fwupd-$(DEB_HOST_ARCH)-signed.postinst + install -m 0755 debian/fwupd.postrm $(TMPLDIR)/source-template/debian/fwupd-$(DEB_HOST_ARCH)-signed.postrm + ./debian/gen_signing_changelog $(TMPLDIR)/source-template/debian fwupd $(DEB_HOST_ARCH) + ./debian/gen_signing_json $(TMPLDIR) fwupd ${DEB_HOST_ARCH} +endif + override_dh_strip_nondeterminism: dh_strip_nondeterminism -Xfirmware-example.xml.gz 
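Review bot: `tar_name := fwupd_$(deb_version)_$(DEB_HOST_ARCH).tar.gz` is a simple (`:=`) assignment, so `deb_version` must already hold a value at this point in the file; its definition is not in the hunk. The same variable later replaces `SIGNVERSION`, which becomes the exact version pin `fwupd (= SIGNVERSION)` of the signed package. An empty value should therefore stop the build instead of producing `fwupd__<arch>.tar.gz` and an empty pin. A guard just before `SB_STYLE := debian` would do: `$(if $(strip $(deb_version)),,$(error deb_version is empty))`. A one-line comment above the `ifeq` saying that Ubuntu publishes a `raw-uefi` tarball while Debian ships a signing template would also help the reader.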
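Review bot: The pattern in `-name *SIGNARCH*` is unquoted, so the shell expands it against the build directory before `find` runs. If anything there matches, `find` is handed that literal name and the template files keep `SIGNARCH` in their names. Write `-name '*SIGNARCH*'`. The two `sed` calls replace only the first occurrence on each line; `s,SIGNARCH,$(DEB_HOST_ARCH),g` (and likewise for `SIGNVERSION`) avoids a half-substituted template. `override_dh_install` starts before this hunk.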
@@ -53,3 +78,14 @@ override_dh_auto_test: if [ -x /usr/bin/valgrind ] ; then \ dh_auto_test; \ fi + +override_dh_builddeb: + dh_builddeb -- -Zxz +ifeq (ubuntu,$(SB_STYLE)) + mkdir -p debian/fwupd-images/$(deb_version) + cp debian/tmp/usr/lib/fwupd/efi/fwupd*.efi debian/fwupd-images/$(deb_version) + echo $(deb_version) \ + > debian/fwupd-images/$(deb_version)/version + cd debian/fwupd-images && tar czvf ../../../$(tar_name) . + dpkg-distaddfile $(tar_name) raw-uefi - +endif diff --git a/debian/signing-template/README.source b/debian/signing-template/README.source index 0b4b35809..36fb03e83 100644 --- a/debian/signing-template/README.source +++ b/debian/signing-template/README.source @@ -1,4 +1,4 @@ This source package is generated by the Debian signing service from a -template built by the fwupdate package. It should never be updated directly. +template built by the fwupd package. It should never be updated directly. -- Steve McIntyre <93sam@debian.org> Sat, 07 Apr 2018 12:44:55 +0100 diff --git a/debian/signing-template/changelog.in b/debian/signing-template/changelog.in index ae5fca047..188ab7947 100644 --- a/debian/signing-template/changelog.in +++ b/debian/signing-template/changelog.in @@ -1,4 +1,4 @@ -fwupdate-SIGNARCH-signed (1) unstable; urgency=medium +fwupd-SIGNARCH-signed (1) unstable; urgency=medium * Add template source package for signing diff --git a/debian/signing-template/control b/debian/signing-template/control index fb5656a3d..c25ec6e56 100644 --- a/debian/signing-template/control +++ b/debian/signing-template/control 
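Review bot: The Ubuntu block in `override_dh_builddeb` runs `cp debian/tmp/usr/lib/fwupd/efi/fwupd*.efi …` on every architecture, while the context of the first `debian/rules` hunk enables `-Dplugin_uefi=true` only for amd64, i386, armhf and arm64. On any other architecture there is presumably no `.efi` file, so the glob stays literal, `cp` fails and the package build stops. Wrap the block in the same architecture test, `ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),amd64 i386 armhf arm64))` … `endif`. The `ifeq (debian,$(SB_STYLE))` block added to `override_dh_install` has the same gap.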
@@ -1,23 +1,23 @@ -Source: fwupdate-SIGNARCH-signed +Source: fwupd-SIGNARCH-signed Priority: optional Maintainer: Debian EFI Uploaders: Daniel Jared Dominguez , Steve McIntyre <93sam@debian.org>, Mario Limonciello -Build-Depends: debhelper (>= 9.0.0), sbsigntool [amd64 arm64 armhf i386], fwupdate (= SIGNVERSION) [SIGNARCH] +Build-Depends: debhelper (>= 9.0.0), sbsigntool [amd64 arm64 armhf i386], fwupd (= SIGNVERSION) [SIGNARCH] Standards-Version: 4.1.3 Section: libs -Homepage: https://github.com/rhinstaller/fwupdate -Vcs-Git: https://salsa.debian.org/efi-team/fwupdate.git -Vcs-Browser: https://salsa.debian.org/efi-team/fwupdate +Homepage: https://github.com/hughsie/fwupd +Vcs-Git: https://salsa.debian.org/efi-team/fwupd.git +Vcs-Browser: https://salsa.debian.org/efi-team/fwupd -Package: fwupdate-SIGNARCH-signed +Package: fwupd-SIGNARCH-signed Section: admin Architecture: SIGNARCH -Depends: ${shlibs:Depends}, ${misc:Depends}, fwupdate (= SIGNVERSION}) +Depends: ${shlibs:Depends}, ${misc:Depends}, fwupd (= SIGNVERSION}) Description: Tools to manage UEFI firmware updates (signed) - fwupdate provides functionality to update system firmware. It has been + fwupd provides functionality to update system firmware. It has been initially designed to update firmware using UEFI capsule updates, but it is designed to be extensible to other firmware update standards. . - This package contains just the signed version of the fwupdate binary, + This package contains just the signed version of the fwupd binary, needed if your system has UEFI Secure Boot enabled. It depends on the - normal fwupdate package for everything else. + normal fwupd package for everything else. diff --git a/debian/signing-template/copyright b/debian/signing-template/copyright index 0ead317b3..60f02e118 100644 --- a/debian/signing-template/copyright +++ b/debian/signing-template/copyright 
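Review bot: The new `Depends` line keeps a stray closing brace: `fwupd (= SIGNVERSION})`. After `debian/rules` substitutes `SIGNVERSION`, the field reads `fwupd (= <version>})`, which is not a valid version relation. The exact-version tie between the signed binary and the `fwupd` package it was built from is then lost, or the generated source package fails to build. The line should read `Depends: ${shlibs:Depends}, ${misc:Depends}, fwupd (= SIGNVERSION)`.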
@@ -1,24 +1,24 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Upstream-Name: fwupdate -Source: https://github.com/rhinstaller/fwupdate - -Comment: - This file describes only the fwupdate-signed-SIGNARCH source package. Its - binary packages are built largely from source in the fwupdate source - package. Look there for more details. +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: fwupd +Source: https://github.com/hughsie/fwupd Files: * -Copyright: 2014-2015 Peter Jones -License: GPL-2.0+ +Copyright: 2015 Richard Hughes +License: LGPL-2.1+ + +Files: data/tests/colorhug/firmware.metainfo.xml +Copyright: 2015 Richard Hughes +License: CC0-1.0 Files: debian/* -Copyright: 2015-2018 Daniel Jared Dominguez , Steve McIntyre <93sam@debian.org> -License: GPL-2.0+ +Copyright: 2015 Daniel Jared Dominguez + 2015 Mario Limonciello +License: LGPL-2.1+ -License: GPL-2.0+ +License: LGPL-2.1+ This package is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, 
@@ -26,8 +26,8 @@ License: GPL-2.0+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . - You should have received a copy of the GNU General Public License + You should have received a copy of the GNU Lesser General Public License along with this program. If not, see . - On Debian systems, the complete text of the GNU General - Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". + On Debian systems, the complete text of the GNU Lesser General + Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1". diff --git a/debian/signing-template/rules b/debian/signing-template/rules index 1f804fb68..96dfcbbc0 100755 --- a/debian/signing-template/rules +++ b/debian/signing-template/rules @@ -1,14 +1,14 @@ #!/usr/bin/make -f # -*- makefile -*- -SIGNATURE_DIR := debian/signatures/fwupdate -BINARY := $(shell find /usr/lib/fwupdate/ -name '*.efi') +SIGNATURE_DIR := debian/signatures/fwupd +BINARY := $(shell find /usr/lib/fwupd/efi/ -name '*.efi') %: dh $@ override_dh_auto_build: - mkdir -p debian/${PACKAGE_NAME}/usr/lib/fwupdate + mkdir -p debian/${PACKAGE_NAME}/usr/lib/fwupd/efi cp $(BINARY) debian/${PACKAGE_NAME}/$(BINARY) sbattach --attach $(SIGNATURE_DIR)/$(BINARY).sig debian/${PACKAGE_NAME}/$(BINARY) mv debian/${PACKAGE_NAME}/$(BINARY) debian/${PACKAGE_NAME}/$(BINARY).signed
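Review bot: The context sentence `See the GNU General Public License for more details.` in the second `debian/signing-template/copyright` hunk is left as it was, so the LGPL-2.1+ paragraph now names two different licences. Change it to `See the GNU Lesser General Public License for more details.` to match the lines this hunk updates.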
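Review bot: In `debian/signing-template/rules`, `BINARY` is whatever `find /usr/lib/fwupd/efi/ -name '*.efi'` returns on the build host, and the recipe passes it unchecked to `cp` and `sbattach`. With no match or more than one, the signature is attached to the wrong path or the commands fail in a confusing way. This step produces the Secure Boot binary, so it should insist on exactly one input. Add `test "$(words $(BINARY))" -eq 1` as the first line of `override_dh_auto_build`. `PACKAGE_NAME` is not assigned in the lines shown; if it is expected from the environment, a comment saying so would help.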